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TITLE OF THE INVENTION 
ENCRYPTION METHOD, DECRYPTION METHOD, 
CRYPTOGRAPHIC COMMUNICATION SYSTEM 
AND ENCRYPTION DEVICE 

5 

BACKGROUND OF THE INVENTION 

The present invention relates to an encryption method for 
encrypting a plaintext into a ciphertext, a decryption method for decrypting 
a ciphertext into a plaintext, a cryptographic communication system using 

10 these encryption method and decryption method, an encryption device for 
perfoimuig the encryption method, and a memory product/data signal 
embodied in carrier wave for recordmg/transferring an operation program 
of the encryption method. 

In the modern society, called a highly information - oriented society, 

15 based on a computer network, important business documents and image 
information are transmitted and communicated in a form of electronic 
information. Such electronic information can be easily copied, so that it 
tends to be difficult to discriminate its copy and original from each other, 
thus bringing about an important issue of data integrity. In particular, it is 

20 indispensable for establishment of a highly information oriented society to 
implement such a computer network that meets the factors of "sharing of 
computer resources," "multi-accessing," and "globalization," which however 
includes various factors contradicting the problem of data integrity among 
the parties concerned. In an attempt to eliminate those contradictions, 

25 encrypting technologies which have been mainly used in the past military 
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and diplomatic fields in the human history are attracting world attention as 
an effective method for that purpose. 

A cipher communication is defined as exchanging information in 
such a manner that no one other than the parties concerned can 
5 understand the meaning of the information. In the field of cipher 
communication, encryption is defined as converting an original text 
(plaintext) that can be understood by anyone into a text (ciphertext) that 
cannot be understood by the third party and decryption is defined as 
restoring a ciphertext into a plaintext, and cryptosystem is defined as the 

10 overall processes covering both encryption and decryption. The encrypting 
and decrypting processes use secret information called an encryption key 
and a decryption key, respectively. Since the secret decryption key is 
necessary in decryption, only those knowing this decryption key can decrypt 
ciphertexts, thus mamtaining data security. 

15 The encryption scheme is roughly classified into two types: 

common-key cryptosystem and public-key cryptosystem. In a common-key 
cryptosystem, an encryption key and a decryption key are identical with 
each other, and a sender and a recipient perform cryptographic 
communications by possessing an identical common key. The sender 

20 encrypts-a plaintext based on a secret common key and transmits the 
resultant ciphertext to the recipient, and then the recipient decrypts the 
ciphertext into the original plaintext by using this common key. 

On the other hand, in a public-key cryptosystem, an encryption key 
and a decryption key are different from each other, and cryptographic 

25 communications are performed by encrypting a plaintext by the sender 
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with the use of a publicized public key of the recipient and decrypting the 
resultant ciphertext by the recipient with the use of its own secret key. 
The public key is a key used for encryption and the secret key is a key used 
for decrypting the ciphertext transformed by the public key, and the 
5 ciphertext transformed by the public key can be decrypted only by the secret 
key. 

Regarding the product-sum type cryptosystem using an operation 
on an integer ring, which is one of the public-key cryptosystems, new 
schemes and attacking methods have been proposed one after another. In 

10 particular, development of encryption/decryption techniques capable of 

performing high-speed decryption has been desired so as to process a large 
quantity of information in a short time. Then, the present inventors 
proposed an encryption method and a decryption method of the 
product-sum type cryptosystem, which enable high-speed decryption 

1 5 processing by using multradic numbers (Japanese Patent Application 
Laid-Open No. 2000-89668). 

The process of the encryption method and the decryption method is 
performed as follows. A plaintext to be encrypted is divided into K parts, 
thereby obtaining a plaintext vector m = (mi, m.2, mis). Using a base 

20 product generated by bases bi (l^i^K) and using random numbers Vi, the 
Bi = Vi bi b2 ... bi are defined. Using a prime number P, a random number w, 
and the Bi, public keys Ci are calculated by Ci = w Bi (mod P). Here, the Ci 
are public keys while the bi, Vi, P, and w are secret keys. Using the public 
keys Ci, a sender encrypts to obtain a ciphertext C = mi ci + m2 C2 + ... + ms 

25 ck. A recipient calculates an intermediate decrypted text M = w -1 C (mod 



4 

P), thereby to decrypt by a sequential decryption algorithm. As such, the 
plaintext is expressed by multradic numbers, whereby a high-speed 
decryption can be performed. 

Further, in order to prepare against low-density attacks using the 
5 LLL (Lenstra-Lenstra-Lovasz) algorithm, the present inventors have 
proposed an improvement of the above-mentioned encryption method 
(Japanese Patent AppEcation No. 11- 173338(1999), referred to as "prior 
example" hereafter). This prior example is a reduced product-sum type 
cryptoscheme using error correcting codes, and includes the following 
10 alteration to the above-mentioned encryption method and decryption 
method. 

1. Each divided plaintext to be encrypted is error-correction encoded, 
and used as the above-mentioned mi. 

2. An appropriate number of reduced bases are used for the bases 
15 {bi} after a predetermined position, and normal bases are used otherwise. 

Here, the reduced bases and the normal bases satisfy mi-i^bi and mi_i<3bi, 
respectively. 

3. The mi indecryptable due to the influence of the reduced bases 
are decrypted using the capability of the error correcting codes. 

20 ~ In the prior example, it has been found that the mi can be decrypted 
up to the position of the firstly appearing reduced base. Thus, despite that 
the firstly appearing reduced base is preferred to locate at a most possible 
ascending position, such an approach requires a large capability of error 
correction, thereby causing a problem of impracticality. 

25 However, such a technique using reduced bases permits the density 
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(input plaintext length / ciphertext length) to be increased by increasing the 
redundancy of the plaintext, and hence is an effective technique expected to 
be capable of increasing the resistance to attacks depending on the LLL 
algorithm. Thus, the present inventors have been researching further 
5 techniques of the reduced product-sum type cryptoscheme. 

BRIEF SUMMARY OF THE INVENTION 
An object of the present invention is to provide : an encryption 
method and a decryption method capable of avoiding the problem in the 

10 prior example, having resistance to attacks depending on the T,T,L 
algorithm, and performing high-speed encryption and decryption; a 
cryptographic communication system and an encryption device using the 
same? and a memory product/data signal embodied in carrier wave for 
recoro^g/transferring an operation program of the encryption method. 

15 The prior example of the reduced product-sum type cryptoscheme 

using error correcting codes has a higher density than a conventional 
product-sum type cryptoscheme. Accordingly, it had been thought to be 
resistant to attacks depending on the LLL algorithm, but has been found to 
be decryptable. The decryptability results from that the reduced bases are 

20 located in the last part continuously. Thus, it is concluded that the reduced 
bases are to be located in a rather forward part in order to effectively 
increase the resistance to attacks depending on the TIT, algorithm. 
However, in the prior example, the locating of reduced bases in a forward 
part requires a larger capability of error correction. 

25 The proposal in the present invention is a reduced product-sum 
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type cryptoscheme using an extended transformation of a plaintext. The 
present invention introduces a new technique of the extended 
transformation in place of the error correction coding. A predetermined 
transformation is applied on a plaintext vector to be encrypted, thereby 
5 generating a transformation vector for increasing the density, thereby 

perforating an extended transformation. Then, a ciphertext is generated by 
the product- sum operation between the components of a public key vector 
and the components of the plaintext vector and the transformation vector. 
In the decryption of the ciphertext, reduced parts, to which an ordinary 

10 decryption method is inapplicable, are reproduced according to the 
above-mentioned predetermined transformation. 

In the present invention, the technique of extended transformation 
of plaintext permits arranging of more reduced bases. Thus, with keeping 
the high speed in encryption and decryption, the density can be easily set to 

15 high to increase the resistance to attacks depending on the T 1 1 , algorithm. 
Further, a complicated encryption/decryption process like error correction 
coding is unnecessary, and hence encryption/decryption can be carried out 
easily. 

The above and further objects and features of the present invention 
20 will more fully be apparent from the following detailed description with 
accompanying drawings. 

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE 
DRAWINGS 

25 FIG. 1 is a schematic diagram showing a situation of 
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communication between two entities in accordance with the present 
invention. 

FIG. 2 is a diagram showing the configuration of an embodiment of 
a memory product of the present invention. 

5 

DETAILED DESCRIPTION OF THE INVENTION 

The embodiments of the present invention are described below in 

detail. 

FIG. 1 is a schematic diagram showing a situation that an 
10 encryption method adopting the reduced product-sum type cryptoscheme in 
accordance with the present invention is used in the information 
communication between entities a, b. In the example of FIG. 1, one entity a 
encrypts a plaintext X into a ciphertext C, and sends the ciphertext C 
through a communication channel 1 to another entity b. The entity b then 
1 5 decrypts the ciphertext C into the original plaintext X. 

The entity a on the sender side comprises^ a plaintext divider 2 for„ 
dividing a plaintext X into a plurality of divided plaintexts thereby to obtain 
a plurality of messages mi, m.3, mg_i, a dummy message generator 3 
for generating dummy messages rru, m2j, ... from those 
- 20 odd-number-th messages mi, m3, rng-i, ... in order to increase the 
density; and an encryptor 4 for generating a ciphertext C using these 
messages mi, ma, m3, nu, mg-i, m.2j, mx and public keys ci, C2, ck- 
On the other hand, the entity b on the recipient side comprises a decryptor 5 
for calculating the messages mi (l^i^K) according to a branching 
25 sequential decryption algorithm described later thereby to decrypt the sent 
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ciphertext C into the original plaintext X. 



The detail of the technique is described below. 



[Preparation] 



5 



Secret keys and public keys are prepared as follows. 
* Secret keys: {bj}, {vj, P, w 
•Public keys: {ci},f(-) 



Let the size of each message mi be e bits, then each message mi 



satisfies the following (l). 



mi < 2 e 



-(1) 
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First, the plaintext X is divided, thereby obtaining the 



odd-number-th messages mi, m3, m.2j_i, .... Next, using the message 
generating function f( • ), the even-number-th messages m% nu, mg, ... are 
generated from the odd-number-th messages mi, m3, m.2j_i, thereby 
carrying out the extended transformation of the plaintext. Here, the 
15 even-number-th messages m.2, ni4, m2j, ... are dummy messages for 

increasing the density. The number of truly effective messages is expressed 
by the following (2) with the total number K of the messages. 




( 2") 



20 



Further, the bases bi are assumed to be integers satisfying the 



following (3). 



2 e + cT; ( 1 « d; «2 e ) 

K i=2 j ) 



b i = 



2 e + <T;'( 1 « 6 :'«2 e ', e'<e ) 

( i=2 j-1 ) ■•• ( 3 ) 



25 
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Multiplying a base product bi b2 ... bi by a random number vi, a base 
vector B = (Bi, B2, Bk) is denned by the following (4). 

Bi = vibib 2 ...bi -(4) 
Here, the random numbers Vi are set so that the components Bi 
5 shown in the above-mentioned (4) are in the same order of magnitude with 
each other, while gcd(vi, bi+i)=l is requested. 

Using the random number w, the public keys Ci are obtained by the 
modulo transformation shown in the following (5). 

ci = wBi (modP)— (5) 

10 [Encryption] 

A ciphertext C is obtained by a product-sum operation using the 
messages mi and public keys Ci. Specifically, the ciphertext C is expressed by 
the following (6). 

C = miCi + m2C2 + ... + m.KCK *"(6) 

15 [Decryption] 

Decryption processing is carried out as follows. An intermediate 
decrypted text M for the ciphertext C is calculated by the following (7). 
M = w-iC(modP) -(7) 
Then, the decryption into the messages mi is performed according to 
20 a branching sequential decryption algorithm shown in the following (8). 



25 



Branching Sequential 
.Decryption Algorithm 

Step ] 



m 1 = M 1 v^ 1 (mod b 2 ) 

Stepi(2^i^K-1) 

Mi-i-m vi-i 



M ; = 



M; ( mod b i+1 ) ( i=2 j-1 ) 
f ( m ;_t ) ( i=2 j ) 



S tep K 

K^even number 

■ no processing 

K : o d d number 
u Mk-i - m k-1 VK-l 

M k = — 



m K = M kV k 
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In this algorithm, the odd-number-th messages mi are decrypted by 
a conventional technique, and the even-number-th messages mi are 
decrypted by mi = f(mi_i) using the message generating function f( * ). 

The message generating function ft*) is discussed below. In order for 
5 an encryption method of the present invention to have a high resistance to 
attacks depending on the LLL algorithm, the f( • ) shall not be linear. For 
example, in case of the identity transformation f( • ), that is, in case that mg 
= m2j-i, the ciphertext C can be rewritten as the following (9). Accordingly, 
by changing the number of the public keys into the number shown in the 
10 following (l l) by the substitution shown in the following (10), and by 
applying a low-density attack, the plaintext can be obtained. 

C = rn -| c 1 +m 2 c 2 + + nn K c k 
= m ! ( c 1 +c 2 ) + + m K _ 1 ( Ck-t -f c K )• • • ( 9 ) 

15 cj^c^ +c 2i (i^l J<±L|). (10) 



K + 1 



••(11) 



However, a non-linearity of the f( * ) is not necessarily sufficient for 
20 security. For example, in case that ftx) = a x + b (for example, when the f( • ) 
inverts each bit of the messages mi, a = —1 and b = 2 e — l), the ciphertext C 
can be rewritten as the following (12), and the following (13) and (14) are 
obtained. Accordingly, by changing the number of the public keys into the 
number shown in the following (15), and by applying a similar low-density 
25 attack, the plaintext can be obtained. 
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C = m ] C c t + a c 2 )+ + b ( c 2 -f c 4 + - + c K ) 

LlK+i ]/2j " " ' ( ^ 2 ) 

C' = C - b2 c 2J •••(13) 

c t ' = c 2t + 1 + a c 2t +2 " • • (14) 
K + 1 1 .-(15) 



Examples of a safe message generating function K • ) are shown in 
the following (16) and (17). Here, the q is a prime number of e bits, and the 
10 u is an integer of e bits. 

f(x)=x 2 mod q ■•■ (16) 

f ( x) = x 0 u ■•■(17) 

/© : exc I us i ve OR operation 
\ of each bit 

15 The message generating function f( * ) may be made public by a 

reliable center or an entity. Since the bit operation in the fv * ) is a non-linear 
transformation on an integer ring, when a logical operation such as shown 
in the above-mentioned (17) is introduced, the entity may make public the u 
alone corresponding to the f( * ) with a parameter u which is made public by 

20 the center. 

Next, the encryption rate and the density in an encryption method 
of the present invention is discussed below. Encryption rate r in a reduced 
product-sum type cryptography is defined by original plaintext length / 
ciphertext length. Density p is defined by plaintext length input into 
25 reduced product- sum type cryptography / ciphertext length. In the scheme 
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of the present invention, the density p is defined by extended plaintext 
length / ciphertext length. Here, plaintext length Lp, extended plaintext 
length Le, and ciphertext length Lc are defined by the following (18), (19), 
and (20), respectively. Then, encryption rate r and density p are expressed 
5 by the following (21) and (22), respectively. 



10 



15 



20 



Lp = 



e ••• (18) 



L e - K e ••■(19) 



Lc * 



(K:even number) 



20) 



L P ^ e 

L c ' e+e' + ( I o g 2 K)/K 

Le 



(K:odd number) 
••• (21 ) 



Lr 



( 22 ) 



In the cryptoscheme of the present invention, when the value e'/e 
and hence the bit size e' of the reduced bases becomes small, the encryption 
rate r increases as well as the density p . Accordingly, the contraction of 
25 reduced base size permits a high resistance to attacks depending on the 
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LLL algorithm. 

In an encryption method of the present invention, from the 
above-mentioned (20) and (22), the density p exceeds 1 even in the case of 
the minimum block number K=3. Thus, a high resistance is expected to 
5 attacks depending on the LLL algorithm. In this case, if e=64 and e'/e= a , 
the ciphertext length Lc satisfies the following condition (23). This provides 
a design of an epoch-making cryptoscheme having a far smaller block size 
than that of prior art public-key cryptography. 

Lc = 128+1.6 + 64a < 194 ■•■(23) 

10 FIG. 2 is a diagram showing the configuration of an embodiment of 

a memory product in accordance with the present invention. The program 
illustrated here contains in the above mentioned example the processes of 
dividing the plaintext to be encrypted thereby to obtain the odd-number-th 
messages," generating the even-number-th messages from the 

15 odd-numberth messages using the message generating function f\ * ); and 
generating the product-sum type ciphertext using these messages and the 
public keys! or contains the process of decrypting the ciphertext into the 
original plaintext according to the above-mentioned branching sequential 
decryption algorithm, and further recorded in a memory product described 

20 - below. A computer 20 is provided in an entity on the sender side or the 
recipient side. 

In FIG. 2, a memory product 21 is composed of, for example, a 
server computer on the WWW (World Wide Web) installed apart from the 
installed location of the computer 20. In the memory product 21, a program 
25 21a described above is recorded. The program 21a read out from the 
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memory product 21 via a transfer medium 24 such as a communication line 
controls the computer 20 so as to generate a ciphertext from a plaintext or 
decrypt a ciphertext into a plaintext. 

A memory product 22 provided in the interior of the computer 20 is 
5 composed of a disk drive, a ROM, or the like built in. In the memory product 
22, a program 22a described above is recorded. The program 22a read out 
from the memory product 22 controls the computer 20 so as to generate a 
ciphertext from a plaintext or decrypt a ciphertext into a plaintext. 

A memory product 23 used in the loaded state into a disk drive 20a 

10 provided in the computer 20 is composed of an magneto-optical disk, a 

CD-ROM, a flexible disk, or the like portable. In the memory product 23, a 
program 23a described above is recorded. The program 23a read out from 
the memory product 23 controls the computer 20 so as to generate a 
ciphertext from a plaintext or decrypt a ciphertext into a plaintext. 

15 Although the description of the above-mentioned example has been 

made for a case of cryptographic communication system, an encryption 
method of the present invention is obviously applicable also in a case that a 
plaintext is encrypted into a ciphertext and that the generated ciphertext is 
merely recorded. 

20 As described above, in the present invention, encryption is 

performed by making use of the extended transformation of plaintext, 
which increases the resistance to attacks depending on the LLL algorithm 
in comparison with the prior example. Further, in contrast to the prior 
example using error correction coding, a complicated enayption/decryption 

25 process is unnecessary. Thus, the process of calculation during 
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encryption/decryption can be reduced, and hence, encryption/decryption can 
be carried out easily at a high speed. Furthermore, since the cryptographic 
block number can be made small, a small-scale hardware is sufficient to 
construct a cryptographic communication system. As a result, the present 
5 invention can contribute to a development for the industrial realization of 
the product-sum type cryptography. 

As this invention may be embodied in several forms without 
departing from the spirit of essential characteristics thereof, the present 
embodiment is therefore illustrative and not restrictive, since the scope of 
10 the invention is defined by the appended claims rather than by the 

description preceding them, and all changes that fall within metes and 
bounds of the claims, or equivalent of such metes and bounds thereof are 
therefore intended to me embraced by the claims. 



